Cyber Incident Victim: Radiant Capital

Date: Oct 2024

Location: United States of America

Summary

Radiant Capital suffered a sophisticated cyberattack involving a $50M loss, initiated when a developer received a malicious Telegram message impersonating a trusted former contractor. The message contained a ZIP file delivering INLETDRIFT malware, which established a persistent macOS backdoor while displaying a decoy PDF to evade detection. Attackers staged malicious smart contracts across multiple blockchain networks and manipulated front-end interfaces to conceal malicious transactions during signing, bypassing standard verification practices like transaction simulations. The intrusion is attributed to UNC4736, a DPRK-aligned threat actor linked to the Reconnaissance General Bureau, which removed forensic traces shortly after the theft. This incident highlights critical vulnerabilities in current DeFi security protocols, demonstrating how advanced adversaries can circumvent hardware wallets, simulations, and human review through meticulously orchestrated social engineering and technical subterfuge.

Description

On September 11, 2024, a Radiant Capital developer received a Telegram message appearing to originate from a trusted former contractor, discussing a new smart contract auditing opportunity and requesting feedback on a zipped PDF document. The message and associated domain convincingly mimicked the contractor’s legitimate communications, bypassing initial scrutiny. This PDF delivery mechanism was routine within Radiant’s professional operations, leading the developer to share the file internally. Forensic analysis later determined the ZIP file contained INLETDRIFT malware, concealed within an application bundle named Penpie_Hacking_Analysis_Report.zip. The malware executed an AppleScript establishing persistence via a LaunchDaemon and communicated with the command-and-control domain atokyonews[.]com while displaying a decoy PDF to maintain the illusion of legitimacy. This compromise enabled attackers to gain persistent access to multiple developer devices despite Radiant’s existing security protocols, including transaction simulations in Tenderly and payload verification.

The attackers spent weeks prior to October 16 deploying malicious smart contracts across Arbitrum, Binance Smart Chain, Base, and Ethereum. On October 16, they executed the theft, resulting in approximately $50 million USD in losses, and erased traces of secondary backdoors and browser extensions within three minutes of the heist. Radiant Capital published a post-mortem on October 17 and engaged Mandiant for forensic analysis, which attributed the attack with high confidence to UNC4736 (also known as AppleJeus or Citrine Sleet), a DPRK-aligned threat actor operating under the Reconnaissance General Bureau with ties to TEMP.Hermit. Radiant DAO concurrently partnered with zeroShadow and Hypernative for on-chain asset tracking and enlisted SEAL 911 for supplementary support. The incident exposed critical vulnerabilities in transaction verification systems, as attackers manipulated front-end interfaces to display benign data while signing malicious transactions in the background, evading standard simulation checks. Radiant continues collaborating with U.S. law enforcement to freeze stolen assets and shares investigative findings to advance industry security practices.
